yahoo-eng-team team mailing list archive

[Mike Dorman <mdorman@xxxxxxxxxxx>]

Public bug reported:

When using an external user catalog (in our case, AD), if the user is
removed on the backend catalog, the user-role-* keystone CLI commands no
longer work, because keystone cannot look up the user.

The specific situation is a user had been granted roles on some
projects, but then that uesr left the company and was removed from the
backend directory.  When going back to remove the roles assigned to that
user, the keystone commands fail.

It may still be possible to do these operations directly through the
API, I didn't check that.  But ultimately was able to work around it by
directly removing the entries in the keystone user_project_metadata
table.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1321378

Title:
  keystone user-role-* operations fail when user no longer exists in
  underlying catalog

Status in OpenStack Identity (Keystone):
  New

Bug description:
  When using an external user catalog (in our case, AD), if the user is
  removed on the backend catalog, the user-role-* keystone CLI commands
  no longer work, because keystone cannot look up the user.

  The specific situation is a user had been granted roles on some
  projects, but then that uesr left the company and was removed from the
  backend directory.  When going back to remove the roles assigned to
  that user, the keystone commands fail.

  It may still be possible to do these operations directly through the
  API, I didn't check that.  But ultimately was able to work around it
  by directly removing the entries in the keystone user_project_metadata
  table.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1321378/+subscriptions